Big Trouble in Little Infosec

October 29th, 2013

The security “community” has been so incredibly drama-laden this year (largely due to media sensationalism and that wily A-P-T, yeah you know me!) that it’s been tough to stomach. That’s really not me being curmudgeonly, honest. I’ve had a fascinating year, done some amazing work with clients, and seen at least a good number of incredibly smart friends and colleagues at industry events and elsewhere. So, what’s got me wound up? Well, it’s that time of year, first of all. As a consultant who travels internationally a LOT, and stays busier than a rational human should be, I am reaching a point of exhaustion where I start reflecting on what I’ve seen and thinking a bit more philosophically about the state of the “industry”. Second, I’ve really had some big insights personally, just seeing things a bit more clearly for what they are.

You may have noticed that I surrounded the terms “community” and “industry” in quotes. That’s intentional. And directly related to concern #1:

If we’re a “community”, what are our values? And why do we qualify as an “industry”?

I’ll explain. From what I’ve seen, it might be time for us to work a little harder at helping the “normals” get secure. I know we THINK we all do. But ya know what? We’re NOT approachable. We are very quick to judge people not fit to compute. And that, my friends, is 99% of the world, in our eyes. We have to lower our bar, try to be a bit more understanding of Facebook people, and start solving the real problems of awareness and usage scenarios. And, uh, misogyny in IT. Or at least infosec. Really, being a bigot to women is pathetic these days. Especially if you are a fat, white and pasty nerdbot that doesn’t see much daylight.

As to the “industry” thing…please. Everything about infosec is a “feature”. We are not IT. We are not “risk”. We are a part of both. Yes, there’s money here. But we are NOT a strategic element. We’re a small piece of the business equation, no matter how important we think we are. Maybe, in some industries and situations. But not as “the norm”.

And so…problem #2: We think we’re more important than we are.

True, sadly. Especially the pompous CSO types who puff their chests out and talk about “metrics” and “governance” and “GRC” and “advanced threats”. We have a lot of the “let’s preen and act important” game going on, where people act very serious and try hard to dress nice and seem like they know what’s happening. Pffft. These folks are reacting just like everyone else, and the last fucking thing we need is more corporate politicians. Take your “GRC” and “dashboards” and go do something better suited, like create a colorful chart. UNLESS…you cover for the real team that actually does shit. And maybe once in a while, you enact some changes through your amazing PowerPoint skills of persuasion. Which leads me to #3:

We need a LOT fewer talkers. And a lot MORE “do-ers”.

Seriously. I’ve said this before. More than a few times, really. But what I see out there is concerning, folks. I see a lot of infosec professionals who, candidly, suck. Basic Windows skills and the ability to fill out Word docs do NOT an infosec professional make. You need admin skills, network skills, DB skills, some code, and maybe more to be a well-rounded infosec person. Most are not. Some can learn, and want to. But many are in it for the perceived paycheck. If you are 20 years in and can’t use Linux, don’t expect me to give two fucks about you and your career. Because you don’t care. And neither do I. This isn’t a cushy 9-5, maybe-we’ll-get-a-pension-someday kind of gig. Keep learning, evolve or die. And if you DO care, and are trying to switch careers? I’m your biggest fan. I’ll help any way possible.

And finally? Another topic I’ve harped on, at #4:

Bo don’t know code. And neither does infosec.

We need more people to code. Less click, more code. App issues are the now AND the future. If you can’t handle that…you’re on the way to dinosaur, sorry.

These are some harsh realizations. But really, we look at infosec and data breaches and wonder why things aren’t better. What if we’re a big part of the problem?

Its main problem is that probably not one out of a hundred “infosec professionals” knows what the concept of “security” actually IS. And you can’t have what you can’t even define. Especially when “security” CAN’T be had in reality.

Infosec is like a guy building a cannon to shoot himself to the moon. He doesn’t even know that what he’s trying to do isn’t possible in the first place.

I’ve spent the last thirty years thinking about “security”. I’ve ended up with my meme: “You can haz better security, you can haz worse security. But you cannot haz ‘security’. There is no security. Deal.”

Well said. Mis-configurations, poor software design, default accounts, people not caring, people not listening. I am resolved to sit in my chair on the sidewalk, with my cooler of beer, and enjoy the show as everyone that does not care, those that do not listen, those that do not comprehend, and those that cannot fathom X/Y/Z, are run over by the bus. You can yell at the top of your lungs “Get out of the way of the fucking bus!!!!” But most seem more interested in winning the Darwin award of the year. So I tally up another idiot run over by a bus, take another sip of my ice cold Fat Tire beer, and enjoy the sunshine.

I agree with a good chunk of your points. Security, by nature, is only beneficial if action is taken, so accomplishment at the tactical level is key, key, key. While I’m a CISO, I have held various systems administration jobs and IT management jobs in my career, so getting things actually done in IT is part of my psyche.

Let me know if this resonates with you, or if I misinterpreted you…or maybe you just disagree. That’s cool too.

Sometimes, in order to make sure problems are >90% solved, you can’t leave it to “everyone doing their best, independently”. Solving larger problems takes some coordination and collaboration with people that aren’t making it a priority to fix the problems. IT and business people are equally guilty. If they don’t appreciate the need on their own or with education from peers, maybe they are *encouraged* to appreciate it. Regardless, they need to prioritize security remediation activities, and someone has to expose and talk about where the risks are. It comes down to saying something and finding the best way to have the other party actually *hear/understand* you. Sometimes that’s pictures, sometimes that’s prioritization exercises like GRC (although you can do this poorly too).

Just like we can’t take management of society’s rules ourselves any more (the Wild West or other countries where warlords rule and there is a non-functioning government), we do need a structure to solve problems across groups that are not working together, for whatever reason. Sometimes it is not being educated, sometimes there are very few resources and there are other priorities, sometimes they simply don’t want to. My guess is you’d want someone else to “translate” and “educate” these folks.

Not all infosec people need to touch code to be effective at fixing infosec problems.